Vulnerability of Certain Stream Ciphers Based on k-normal Boolean Functions

Transcription

1 Vulnerability of Certain Stream Ciphers Based on k-normal Boolean Functions Miodrag Mihaljevic RCIS-AIST, Tokyo A Seminar Lecture at CCRG School of Physics and Mathematical Sciences Nanyang Technological University (NTU) Singapore, October 06, 2010 (15:30-16:30) 1

2 Roadmap Introduction and Motivation for the Work A Class of Stream Ciphers Based on the k-normal Boolean functions LILI-128 Keystream Generator Underlying Ideas for a Novel Cryptanalysis Employing a Weakness of k-normal Boolean Functions Pre-Processing Secret Key Recovery Performance and Comparison Concluding Remarks 2

3 I. Introduction k-normal Boolean Functions and motivation for the work 3

4 k-normal Boolean functions 4

5 Illustrative References on k-normal Boolean Functions C. Carlet, The complexity of Boolean functions from cryptographic point of view, in Complexity of Boolean Functions, Dagestuhl Seminar Proceedings 06111, C. Carlet, On the degree, nonlinearity, algebraic thickness and nonnormality of Boolean functions, with developments on symmetric functions, IEEE Transactions on Information Theory, vol. 50, pp , C. Carlet, H. Dobbertin and G. Leander, Normal Extensions of Bent Functions, IEEE Trans. on Information Theory, vol. 50} no. 11, pp , P. Charpin, Normal Boolean functions, Journal of Complexity, vol. 20, pp ,

6 Illustrations of Constructions which End-up with k-normal Boolean Functions 6

7 Statements of Claude Carlet regarding k-normal Boolean Functions The complexity criterion we are interested in is non-knormality with small k (smaller is k, harder is the criterion). This complexity criterion is not yet related to explicit attacks on ciphers. The situation of the degree and of the nonlinearity, when they were first considered, was similar. For instance, the linear attack has been discovered by Matsui sixteen years after Rothaus introduced the idea. 7

8 Motivation and Goals Consideration of vulnerabilities of cryptographic primitives which employ k-normal Boolean Functions. Cryptanalysis of particular stream ciphers which employ k-normal Boolean Functions. Developing of dedicated algebraic which employ a weakness of k-normal Boolean Functions. 8

9 II. Certain Keystream Generators and k-normal Boolean Functions Nonlinear Filter Generator and Combination Generator with k-normal Boolean Functions 9

10 Boolean Functions and NF Nonlinear Filter (NF) is a textbook keystream generator but also can be considered as approximations of certain more complex generators. Design criteria and cryptographic complexity consideration of Boolean functions is usually related to their employment in NF. 10

11 Nonlinear Filter (NF) Linear Finite State Machine (LFSM) k-normal Boolean Function 11

12 Illustrative References M. Fossorier, M.J. Mihaljevic and H. Imai, Modeling Block Encoding Approaches for Fast Correlation Attack, IEEE Transactions on Information Theory, vol. 53, no. 12, pp , Dec E. Pasalic, "On Guess and Determine Cryptanalysis of LFSR-Based Stream Ciphers", IEEE Trans. Inform. Theory, vol. 55, pp , July

13 A Generic Framework for Cryptanalysis mounting an attack for internal state or secret key recovery 13

14 Two Phases Framework for Cryptanalysis Phase I: Phase II: Pre-Processing: Independent of any Secret Key or Sample Should be done only once. A Preparation for the secret key recovery Generator Internal state and Secret Key Recovery for a given sample. 14

15 III. LILI-128 Keystream Generator An Illustration of Stream Cipher Vulnerable Employing a Weakness of k-normal Boolean Functions 15

16 A Note on LILI-128 LILI-128 was submitted to NESSIE crypto-project and reported in SAC 2000 Proceedings (LNCS) Although broken via a number of attacks it still serves as test-bad for illustration of power of novel techniques for cryptanalysis and their comparison with the previously reported ones. 16

17 A Simplified Scheme of LILI-128 Keystream Generator 39-length LFSR clock control 89-length LFSR (k=4)-normal Boolean function of 10 arguments binary keystream sequence 17

18 Algebraic Normal Form (ANF) of Boolean Function Employed in LILI

19 IV. Underlying Ideas and Theoretical Framework for the Cryptanalysis for mounting an attack for internal state recovery 19

20 Main Underlying Idea 20

21 Notes 21

22 Theoretical Framework (1) 22

23 Theoretical Framework (2) 23

24 Theoretical Framework (3) 24

25 Theoretical Framework (4) 25

26 Theoretical Framework (5) 26

27 Theoretical Framework (6) 27

28 Theoretical Framework (7) 28

29 Origin for Cryptanalysis 29

30 Two Phases Framework for Cryptanalysis Phase I: Phase II: Pre-Processing: Independent of any Secret Key or Sample Should be done only once. A Preparation for the internal state recovery. Internal State Recovery for a given sample. 30

31 IV. Pre-Processing Preparation Phase: Should be Performed Only Once 31

32 Pre-Processing Step I 32

33 Pre-Processing Step II 33

34 Algorithm of Pre-Processing: Output 34

35 V. Algorithm for Internal State Recovery for a Given Sample Recovers the Internal State 35

36 Structure of the Algorithm for the Internal State Recovery 36

37 Processing Steps (1) 37

38 Processing Steps (2) 38

39 VI. Complexities of the Attack and Numerical Illustrations Complexity of Pre-Processing Required Sample Complexity of Processing 39

40 Complexity of Pre-Processing 40

41 Required Sample 41

42 Complexity of Processing 42

43 43

44 VII. Comparison with Previously Reported Attacks 44

45 45

46 VIII. Concluding Notes Summary of the Talk and Some Open Problems 46

47 Main Messages of This Talk This talk points out some possible vulnerabilities of cryptographic primitives which employ k-normal Boolean functions. Particularly, this talk confirms that the Non- Normality is an important design criteria for Boolean functions A novel algorithm for cryptanalysis of stream cipher LILI-128 more powerful than previously reported ones has been proposed and discussed. The results on cryptanalysis of LILI-128 are a background towards future activities on a framework for using weaknesses of k-normal Boolean functions based on dedicated algebraic and correlation attacking approaches. 47

48 Some Open Problems CRYPTANALYSIS General issues of vulnerability of nonlinear filters based on k-normal Boolean functions Dedicated cryptanalysis of stream ciphers which employ k-normal Boolean functions: Grain (for example) DESIGN Techniques for design of Boolean functions which minimizes k-normality 48

49 Thank You Very Much for the Attention, and QUESTIONS Please! 49